MalwareBreakdown

Cleaned and commented JavaScript

Feb 19th, 2017
  1. // this is an excerpt of the script tags in the original JS file
  2. // mainly to focus on the 'body' of the JS
  3.  
  4. mTop = top; // implicit global holding window.top; not referenced again in this excerpt
  5. mSelf = self; // implicit global holding window.self; not referenced again in this excerpt
  6. submited = false; // one-shot guard: submit() returns early once this has been set to true
  7.  
  8. function submit() {
  9. // Collects browser/environment measurements into form fields and then posts the form with id "submit-form".
  10. if (submited) {
  11. return false;
  12. }
  13. // mark the run as started so any later call (for example via submitByTimeout) returns early
  14. submited = true;
  15.  
  16. ///////////////////////////////////////// the first eval() function call, when decoded returns the following block /////////////////////////////////////////
  17. var a;
  18. var b;
  19. var ix;
  20. // a / b: viewport width / height, read from the first of three APIs that is available
  21. if(typeof window.innerWidth!='undefined') {
  22. a=window.innerWidth;
  23. b=window.innerHeight
  24. } else if(typeof document.documentElement!='undefined'&&typeof document.documentElement.clientWidth!='undefined'&&document.documentElement.clientWidth!=0) {
  25. a=document.documentElement.clientWidth;
  26. b=document.documentElement.clientHeight;
  27. } else {
  28. a=document.getElementsByTagName('body')[0].clientWidth;
  29. b=document.getElementsByTagName('body')[0].clientHeight;
  30. }
  31. // ix: 0 = page is the top-level window, 1 = page is running inside a frame, 2 = the comparison against window.top threw
  32. try {
  33. ix=window.self!==window.top?1:0
  34. } catch(e){
  35. ix=2;
  36. }
  37. // copy the three values into the elements with ids 'a', 'b' and 'ix' (presumably inputs of the posted form; the HTML is not part of this excerpt)
  38. document.getElementById('a').value=a;
  39. document.getElementById('b').value=b;
  40. document.getElementById('ix').value=ix;
  41. /////////////////////////////////////////////////// end of the eval() decoding ///////////////////////////////////////////////////
  42.  
  43. var flash = 0; // Flash flag written to the 'fs' field: 0 = no version detected, 1 = detected, 2 = detection threw
  44. try {
  45. var FlashDetect=new function(){
  46. var self=this;
  47. self.installed=false;
  48. self.raw="";
  49. self.major=-1;
  50. self.minor=-1;
  51. self.revision=-1;
  52. self.revisionStr="";
  53. var activeXDetectRules=[
  54. // activeXDetection rules
  55. // an array of objects, each pairing an ActiveX ProgID ("name") with a function ("version") that reads the version string from the created object
  56. {"name":"ShockwaveFlash.ShockwaveFlash.7","version":function(obj){return getActiveXVersion(obj);}},
  57. {"name":"ShockwaveFlash.ShockwaveFlash.6","version":function(obj){var version="6,0,21";try{obj.AllowScriptAccess="always";version=getActiveXVersion(obj);}catch(err){}
  58. return version;}},
  59. {"name":"ShockwaveFlash.ShockwaveFlash","version":function(obj){return getActiveXVersion(obj);}}
  60. ];
  61. // NOTE(review): this object looks like a copy of the open-source FlashDetect library rather than code written for this sample — TODO confirm
  62. // takes the ActiveX object and returns its "$version" variable, or -1 if the read throws
  63. var getActiveXVersion=function(activeXObj){
  64. var version=-1;
  65. try{
  66. version=activeXObj.GetVariable("$version");
  67. }catch(err){}
  68. return version;
  69. }; // end getActiveXVersion function
  70.  
  71. // creates the ActiveX object for the given ProgID; returns {activeXError:true} if construction throws
  72. var getActiveXObject=function(name){
  73. var obj=-1;
  74. try{
  75. obj=new ActiveXObject(name);
  76. }catch(err){
  77. obj={activeXError:true};
  78. }
  79. return obj;
  80. }; // end getActiveXObject function
  81.  
  82. // parses a comma-separated ActiveX version string
  83. // returns one object with the keys raw, major, minor, revision and revisionStr
  84. var parseActiveXVersion=function(str){
  85. var versionArray=str.split(",");
  86. return{"raw":str,"major":parseInt(versionArray[0].split(" ")[1],10),"minor":parseInt(versionArray[1],10),"revision":parseInt(versionArray[2],10),"revisionStr":versionArray[2]}; // end return
  87. }; // end parseActiveXVersion function
  88.  
  89. // parses the plugin description string: the third space-separated token is "major.minor", the fourth is the revision string
  90. // returns one object with the keys raw, major, minor, revisionStr and revision
  91. var parseStandardVersion=function(str){
  92. var descParts=str.split(/ +/);
  93. var majorMinor=descParts[2].split(/\./);
  94. var revisionStr=descParts[3];
  95. return{"raw":str,"major":parseInt(majorMinor[0],10),"minor":parseInt(majorMinor[1],10),"revisionStr":revisionStr,"revision":parseRevisionStrToInt(revisionStr)}; // end return
  96. }; // end parseStandardVersion function
  97.  
  98. // strips ASCII letters from the revision string and parses the rest as a base-10 integer
  99. // falls back to the current self.revision when the parsed value is falsy (NaN or 0)
  100. var parseRevisionStrToInt=function(str){
  101. return parseInt(str.replace(/[a-zA-Z]/g,""),10)||self.revision;
  102. }; // end parseRevisionsStrToInt function
  103.  
  104. // accepts the version as input
  105. // returns true if the class' major version is greater than or equal to the input version, otherwise false
  106. self.majorAtLeast=function(version){
  107. return self.major>=version;
  108. }; // end majorAtLeast function
  109.  
  110. // accepts the version as input
  111. // returns true if the class' minor version is greater than or equal to the input version, otherwise false
  112. self.minorAtLeast=function(version){
  113. return self.minor>=version;
  114. }; // end minorAtLeast function
  115.  
  116. // accepts the version as input
  117. // returns true if the class' revision number is greater than or equal to the input version, otherwise false
  118. self.revisionAtLeast=function(version){
  119. return self.revision>=version;
  120. }; // end revisionAtLeast function
  121.  
  122. // declares only 'major', but reads up to three values (major, minor, revision) through 'arguments'
  123. self.versionAtLeast=function(major){
  124. // creates a list of the detected major version, minor version, and revision number
  125. var properties=[self.major,self.minor,self.revision];
  126.  
  127. // number of components to compare: the shorter of 'properties' and 'arguments'
  128. var len=Math.min(properties.length,arguments.length);
  129. // when called with no arguments len is 0, the loop body never runs and the function returns undefined
  130. // iterate over both lists up to the shorter length; 'i' is not declared here, so it is assigned as an implicit global
  131. for(i=0;i<len;i++){
  132. // tests if the value at this index of 'properties' is greater than or equal to the value at the same index of 'arguments'
  133. if(properties[i]>=arguments[i]){
  134. // if the two components are equal and another component remains, move on to compare the next one
  135. if(i+1<len&&properties[i]==arguments[i]){
  136. continue;
  137. // otherwise the detected component is greater, or this was the last component and it is at least equal: return true
  138. } else {
  139. return true;
  140. } // end inner if-else statement
  141. // otherwise the indexed value at 'properties' is less than the one at 'arguments': return false
  142. } else {
  143. return false;
  144. } // end outer if-else statement
  145. } // end for-loop
  146. }; // end versionAtLeast function
  147.  
  148. // the function below is invoked immediately (note the trailing "()"), so detection runs while the object is being constructed
  149. self.FlashDetect=function(){
  150. if(navigator.plugins&&navigator.plugins.length>0){
  151. var type='application/x-shockwave-flash';
  152. var mimeTypes=navigator.mimeTypes;
  153. if(mimeTypes&&mimeTypes[type]&&mimeTypes[type].enabledPlugin&&mimeTypes[type].enabledPlugin.description){
  154. var version=mimeTypes[type].enabledPlugin.description;
  155. var versionObj=parseStandardVersion(version);
  156. self.raw=versionObj.raw;
  157. self.major=versionObj.major;
  158. self.minor=versionObj.minor;
  159. self.revisionStr=versionObj.revisionStr;
  160. self.revision=versionObj.revision;
  161. self.installed=true;
  162. }
  163. } else if(navigator.appVersion.indexOf("Mac")==-1&&window.execScript){ // no plugin list: on non-Mac browsers that expose window.execScript, try the ActiveX ProgIDs in order
  164. var version=-1;
  165. for(var i=0;i<activeXDetectRules.length&&version==-1;i++){
  166. var obj=getActiveXObject(activeXDetectRules[i].name);
  167. if(!obj.activeXError){
  168. self.installed=true;
  169. version=activeXDetectRules[i].version(obj);
  170. if(version!=-1){
  171. var versionObj=parseActiveXVersion(version);
  172. self.raw=versionObj.raw;
  173. self.major=versionObj.major;
  174. self.minor=versionObj.minor;
  175. self.revision=versionObj.revision;
  176. self.revisionStr=versionObj.revisionStr;
  177. } // of if statement for 'version != -1'
  178. } // end of if statement for 'not activeXError'
  179. } // end of for-loop
  180. } // end of outermost if-elseif statement
  181. }(); // end FlashDetect constructor, no input parameters are passed
  182. }; // end the FlashDetect class
  183. // only the major version is used from here on: any value above 0 counts as "Flash present"
  184. if (FlashDetect.major > 0) {
  185. flash = 1;
  186. }
  187. } catch (e) {
  188. flash = 2;
  189. } // end major try-catch block
  190. // store the flag in the element with id "fs"
  191. window.document.getElementById("fs").value=flash;
  192.  
  193. ///////////////////////////////////////// the second eval() function call, when decoded returns the following block /////////////////////////////////////////
  194. // QC is a plain object; each try/catch below records one property of the browser environment and stores -1 or '-' when the read throws
  195. var QC={};
  196. // SW / SH: screen size
  197. try{
  198. QC.SW=window.screen.width;
  199. QC.SH=window.screen.width; // NOTE: SH is assigned screen.width, not screen.height, so SW and SH always carry the same value in this sample
  200. } catch(e) {
  201. QC.SW=-1;
  202. QC.SH=-1;
  203. }
  204. try{ // WX / WY: position of the browser window on the screen
  205. QC.WX=window.screenX;
  206. QC.WY=window.screenY;
  207. } catch(e) {
  208. QC.WX=-1;
  209. QC.WY=-1;
  210. }
  211. // WW / WH: outer size of the browser window
  212. try{
  213. QC.WW=window.outerWidth;
  214. QC.WH=window.outerHeight
  215. } catch(e) {
  216. QC.WW=-1;
  217. QC.WH=-1;
  218. }
  219. // WIW / WIH: viewport (inner) size
  220. try{
  221. QC.WIW=window.innerWidth;
  222. QC.WIH=window.innerHeight;
  223. } catch(e) {
  224. QC.WIW=-1;
  225. QC.WIH=-1;
  226. }
  227.  
  228. // WFC: number of frames in the top-level window (window.top.frames.length); -1 if reading it throws
  229. try{
  230. QC.WFC=window.top.frames.length;
  231. } catch(e) {
  232. QC.WFC=-1;
  233. }
  234. // PL: full URL of the current page
  235. try{
  236. QC.PL=document.location.href;
  237. } catch(e) {
  238. QC.PL='-';
  239. }
  240. // RF: referrer URL of the current page
  241. try{
  242. QC.RF=document.referrer;
  243. } catch(e) {
  244. QC.RF='-';
  245. }
  246. // NP: 1 if navigator.plugins is a non-empty PluginArray, 0 if it is empty or of another type, -1 on error
  247. try{
  248. QC.NP=(!(navigator.plugins instanceof PluginArray)||navigator.plugins.length==0)?0:1;
  249. } catch(e) {
  250. QC.NP=-1;
  251. }
  252.  
  253. // PT: value of window.callPhantom or window._phantom, globals exposed by the PhantomJS headless browser; a defined value marks the client as automated
  254. try{
  255. QC.PT=window.callPhantom||window._phantom
  256. } catch(e) {
  257. QC.PT='-';
  258. }
  259.  
  260. // NB: capability check only, 1 if navigator.sendBeacon is a function and 0 if not; no beacon is sent here
  261. try{
  262. QC.NB=typeof(navigator.sendBeacon)==="function"?1:0;
  263. } catch(e) {
  264. QC.NB=-1;
  265. }
  266.  
  267. // NG: capability check only, 1 if navigator.geolocation is defined and 0 if not; no position is requested
  268. try{
  269. QC.NG=typeof(navigator.geolocation)!=="undefined"?1:0;
  270. } catch(e) {
  271. QC.NG=-1;
  272. }
  273. // CF: Flash flag, 0 until the FlashDetect block that follows sets it to 1 (detected) or 2 (detection threw)
  274. QC.CF=0;
  275.  
  276. // second copy of the FlashDetect object from the first decoded block (declared again with var); its result goes into QC.CF
  277. try{
  278. var FlashDetect=new function(){
  279. var self=this;
  280. self.installed=false;
  281. self.raw="";
  282. self.major=-1;
  283. self.minor=-1;
  284. self.revision=-1;
  285. self.revisionStr="";
  286. var activeXDetectRules=[
  287. {"name":"ShockwaveFlash.ShockwaveFlash.7","version":function(obj){return getActiveXVersion(obj)}},
  288. {"name":"ShockwaveFlash.ShockwaveFlash.6","version":function(obj){var version="6,0,21";try{obj.AllowScriptAccess="always";version=getActiveXVersion(obj)}catch(err){}return version}},
  289. {"name":"ShockwaveFlash.ShockwaveFlash","version":function(obj){return getActiveXVersion(obj)}}
  290. ];
  291. // returns the ActiveX object's "$version" variable, or -1 if the read throws
  292. var getActiveXVersion=function(activeXObj){
  293. var version=-1;
  294.  
  295. try{
  296. version=activeXObj.GetVariable("$version");
  297. } catch(err) {}
  298.  
  299. return version
  300. };
  301. // creates the ActiveX object for the given ProgID; returns {activeXError:true} if construction throws
  302. var getActiveXObject=function(name){
  303. var obj=-1;
  304.  
  305. try{
  306. obj=new ActiveXObject(name)
  307. } catch(err) {
  308. obj={activeXError:true}
  309. }
  310.  
  311. return obj;
  312. };
  313. // parses a comma-separated ActiveX version string into an object with raw, major, minor, revision and revisionStr
  314. var parseActiveXVersion=function(str){
  315. var versionArray=str.split(",");
  316.  
  317. return{"raw":str,"major":parseInt(versionArray[0].split(" ")[1],10),"minor":parseInt(versionArray[1],10),"revision":parseInt(versionArray[2],10),"revisionStr":versionArray[2]}
  318. };
  319. // parses the plugin description string: third space-separated token is "major.minor", fourth is the revision string
  320. var parseStandardVersion=function(str){
  321. var descParts=str.split(/ +/);
  322. var majorMinor=descParts[2].split(/\./);
  323. var revisionStr=descParts[3];
  324.  
  325. return{"raw":str,"major":parseInt(majorMinor[0],10),"minor":parseInt(majorMinor[1],10),"revisionStr":revisionStr,"revision":parseRevisionStrToInt(revisionStr)}
  326. };
  327. // strips ASCII letters and parses the rest as base 10; falls back to self.revision when the result is falsy
  328. var parseRevisionStrToInt=function(str){
  329. return parseInt(str.replace(/[a-zA-Z]/g,""),10)||self.revision;
  330. };
  331. // the three comparisons below each test one detected component against the given value
  332. self.majorAtLeast=function(version){
  333. return self.major>=version;
  334. };
  335.  
  336. self.minorAtLeast=function(version){
  337. return self.minor>=version;
  338. };
  339.  
  340. self.revisionAtLeast=function(version){
  341. return self.revision>=version;
  342. };
  343. // compares (major, minor, revision) against up to three values read through 'arguments'; 'i' is assigned as an implicit global
  344. self.versionAtLeast=function(major){
  345. var properties=[self.major,self.minor,self.revision];
  346. var len=Math.min(properties.length,arguments.length);
  347. for(i=0;i<len;i++){
  348. if(properties[i]>=arguments[i]){
  349. if(i+1<len&&properties[i]==arguments[i]){
  350. continue;
  351. } else {
  352. return true;
  353. }
  354. } else {
  355. return false
  356. }
  357. }
  358. };
  359. // invoked immediately (trailing "()"), so detection runs while the object is being constructed
  360. self.FlashDetect=function(){
  361. if(navigator.plugins&&navigator.plugins.length>0){
  362. var type='application/x-shockwave-flash';
  363. var mimeTypes=navigator.mimeTypes;
  364. if(mimeTypes&&mimeTypes[type]&&mimeTypes[type].enabledPlugin&&mimeTypes[type].enabledPlugin.description){
  365. var version=mimeTypes[type].enabledPlugin.description;
  366. var versionObj=parseStandardVersion(version);
  367. self.raw=versionObj.raw;
  368. self.major=versionObj.major;
  369. self.minor=versionObj.minor;
  370. self.revisionStr=versionObj.revisionStr;
  371. self.revision=versionObj.revision;
  372. self.installed=true
  373. }
  374. } else if(navigator.appVersion.indexOf("Mac")==-1&&window.execScript) { // no plugin list: on non-Mac browsers that expose window.execScript, try the ActiveX ProgIDs in order
  375. var version=-1;
  376. for(var i=0;i<activeXDetectRules.length&&version==-1;i++){
  377. var obj=getActiveXObject(activeXDetectRules[i].name);
  378. if(!obj.activeXError){
  379. self.installed=true;
  380. version=activeXDetectRules[i].version(obj);
  381. if(version!=-1){
  382. var versionObj=parseActiveXVersion(version);
  383. self.raw=versionObj.raw;
  384. self.major=versionObj.major;
  385. self.minor=versionObj.minor;
  386. self.revision=versionObj.revision;
  387. self.revisionStr=versionObj.revisionStr;
  388. } // end if version != -1
  389. } // end if not activeXError
  390. } // end for loop
  391. } // end else-if check
  392. }() // end FlashDetect constructor
  393. }; // end FlashDetect class
  394. // QC.CF: 1 when a major version above 0 was detected, 2 when detection threw, otherwise it keeps its earlier value
  395. if(FlashDetect.major>0){
  396. QC.CF=1;
  397. }
  398. } catch(e) {
  399. QC.CF=2;
  400. } // end try-catch block for FlashDetect
  401.  
  402. try{
  403. QCDone(QC);
  404. } catch(e) {};
  405. // QCDone is a function declaration, so it is hoisted and can be called above its definition
  406. // the function QCDone takes a single input parameter
  407. // each try-catch copies one property of d into the element with id 'ci_<NAME>' in the full html page (this is just an excerpt); a missing element is ignored. The values are presumably posted back to the server with the form.
  408. function QCDone(d){
  409. try{
  410. document.getElementById('ci_SW').value=d.SW;
  411. } catch(e) {}
  412.  
  413. try{
  414. document.getElementById('ci_SH').value=d.SH;
  415. } catch(e) {}
  416.  
  417. try{
  418. document.getElementById('ci_WX').value=d.WX;
  419. } catch(e) {}
  420.  
  421. try{
  422. document.getElementById('ci_WY').value=d.WY;
  423. } catch(e) {}
  424.  
  425. try{
  426. document.getElementById('ci_WW').value=d.WW;
  427. } catch(e) {}
  428.  
  429. try{
  430. document.getElementById('ci_WH').value=d.WH;
  431. } catch(e) {}
  432.  
  433. try{
  434. document.getElementById('ci_WIW').value=d.WIW
  435. } catch(e) {}
  436.  
  437. try{
  438. document.getElementById('ci_WIH').value=d.WIH;
  439. } catch(e) {}
  440.  
  441. try{
  442. document.getElementById('ci_WFC').value=d.WFC
  443. } catch(e) {}
  444.  
  445. try{
  446. document.getElementById('ci_PL').value=d.PL
  447. } catch(e) {}
  448. // NOTE: no 'ci_RF' field is written in this function, although QC.RF (the referrer) is collected earlier in submit()
  449. try{
  450. document.getElementById('ci_NP').value=d.NP;
  451. } catch(e) {}
  452.  
  453. try{
  454. document.getElementById('ci_PT').value=d.PT;
  455. } catch(e) {}
  456.  
  457. try{
  458. document.getElementById('ci_NB').value=d.NB;
  459. } catch(e) {}
  460.  
  461. try{
  462. document.getElementById('ci_NG').value=d.NG;
  463. } catch(e) {}
  464. // NOTE: QC.DM is never assigned in this excerpt, so d.DM is undefined when called from submit()
  465. try{
  466. document.getElementById('ci_DM').value=d.DM;
  467. } catch(e) {}
  468.  
  469. try{
  470. document.getElementById('ci_CF').value=d.CF;
  471. } catch(e){}
  472. }; // end QCDone function
  473. /////////////////////////////////////////////////// end of the eval() decoding ///////////////////////////////////////////////////
  474.  
  475.  
  476.  
  477.  
  478.  
  479. // post the form with id "submit-form", which carries every field filled in above
  480. window.document.getElementById("submit-form").submit();
  481. } // end function submit()
  482.  
  483. // sets the element with id "timeout" to 1 and then calls submit(); nothing in this excerpt calls or schedules this function
  484. function submitByTimeout(){
  485. window.document.getElementById("timeout").value=1;
  486. submit(); // returns early without posting if submit() has already run
  487. }
  488.  
  489. // call submit() as soon as the script is evaluated; no user interaction is involved
  490. submit();